Operational Risk Management Framework

Risk Definitions and Categories

Most financial institutions distinguish the following risk categories:

1. Credit risk
2. Legal risk
3. Market risk
4. Operational risk
5. Political risk


Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events. It includes the risk of reputational loss, which is an indirect, second-order effect of operational risk.
Operational risk sometimes overlaps with the other risk categories. Rogue trading (e.g. Barings Singapore) is, for example, a risk generally monitored by market risk managers but categorised under operational risk, because such a loss is caused primarily not by market factors but by operational failures. Other examples of overlap are credit losses caused by failures in the legal processing of collateral, and insurance losses caused by exposures that were unknown or not reported.
‘Operational risk’ is an umbrella category for a number of sub-operational risks, among which the following are distinguished:

1. Processing failure
2. Control failure
3. Unauthorised activities
4. Internal criminal activities
5. External criminal activities
6. Information security failure
7. Employment practices & workplace safety
8. Clients, products, business malpractice
9. Business disruption
10. System failure

Each of these risks has a related function responsible for the management process and oversight of that risk. The risk categories ‘Criminal activities’ (e.g. fraud) and ‘Business disruption’, for example, are the responsibility of the Security function. ‘Clients, products, business malpractice’ is the responsibility of the Legal & Compliance function. ‘Control failure’ is the responsibility of the Risk Management functions and the Finance function. ‘Information security failure’ is the responsibility of the Corporate IT/Information Security and Information Risk Management functions, and so on. The internal and external audit functions retain a status apart from all of these functions: they provide an independent watch over the proper functioning of each of the aforementioned processes.